Opening the Blackbox of VirusTotal: Analyzing Online Phishing Scan Engines

Proceedings of the Internet Measurement Conference 2018 Pub Date : 2019-10-21 DOI:10.1145/3355369.3355585

Peng Peng, Limin Yang, Linhai Song, Gang Wang

{"title":"Opening the Blackbox of VirusTotal: Analyzing Online Phishing Scan Engines","authors":"Peng Peng, Limin Yang, Linhai Song, Gang Wang","doi":"10.1145/3355369.3355585","DOIUrl":null,"url":null,"abstract":"Online scan engines such as VirusTotal are heavily used by researchers to label malicious URLs and files. Unfortunately, it is not well understood how the labels are generated and how reliable the scanning results are. In this paper, we focus on VirusTotal and its 68 third-party vendors to examine their labeling process on phishing URLs. We perform a series of measurements by setting up our own phishing websites (mimicking PayPal and IRS) and submitting the URLs for scanning. By analyzing the incoming network traffic and the dynamic label changes at VirusTotal, we reveal new insights into how VirusTotal works and the quality of their labels. Among other things, we show that vendors have trouble flagging all phishing sites, and even the best vendors missed 30% of our phishing sites. In addition, the scanning results are not immediately updated to VirusTotal after the scanning, and there are inconsistent results between VirusTotal scan and some vendors' own scanners. Our results reveal the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"80","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Internet Measurement Conference 2018","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3355369.3355585","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 80

Abstract

Online scan engines such as VirusTotal are heavily used by researchers to label malicious URLs and files. Unfortunately, it is not well understood how the labels are generated and how reliable the scanning results are. In this paper, we focus on VirusTotal and its 68 third-party vendors to examine their labeling process on phishing URLs. We perform a series of measurements by setting up our own phishing websites (mimicking PayPal and IRS) and submitting the URLs for scanning. By analyzing the incoming network traffic and the dynamic label changes at VirusTotal, we reveal new insights into how VirusTotal works and the quality of their labels. Among other things, we show that vendors have trouble flagging all phishing sites, and even the best vendors missed 30% of our phishing sites. In addition, the scanning results are not immediately updated to VirusTotal after the scanning, and there are inconsistent results between VirusTotal scan and some vendors' own scanners. Our results reveal the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal.

查看原文本刊更多论文

打开VirusTotal的黑盒子:分析在线钓鱼扫描引擎

像VirusTotal这样的在线扫描引擎被研究人员大量用于标记恶意url和文件。不幸的是，目前还不清楚标签是如何产生的，以及扫描结果的可靠性如何。在本文中，我们将重点关注VirusTotal及其68家第三方供应商，以检查他们对网络钓鱼url的标签流程。我们通过建立我们自己的网络钓鱼网站(模仿PayPal和IRS)并提交url进行扫描来执行一系列测量。通过分析VirusTotal的传入网络流量和动态标签变化，我们揭示了VirusTotal如何工作及其标签质量的新见解。除此之外，我们发现供应商在标记所有的网络钓鱼网站时遇到了困难，即使是最好的供应商也错过了30%的网络钓鱼网站。另外，扫描后扫描结果不会立即更新到VirusTotal，并且VirusTotal扫描结果与部分厂商自带的扫描结果不一致。我们的研究结果表明，需要开发更严格的方法来评估和利用从VirusTotal获得的标签。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Internet Measurement Conference 2018

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格